About that authenticator (thread 119444, vaultofthearchon fandom archive, 2020-02-14)
There is - back up your phone. The authentication code for the app will be saved. They're meant to be difficult to remove from your account. Wouldn't be much good as a security option if they weren't.
----
There already is one. It's called contacting a CSR and having them help you fix it. Anything else would defeat the whole point of authenticators.
----
This ^ The hassle with the authenticator is worth it compared to losing your account.
----
I don't see this as an either/or situation, as in EITHER you get the authenticator OR you get compromised. I don't believe most accounts get "hacked" just out of the blue either. My friends and I have played online games for 8+ years and none of us ever got hacked on any of them, including this one. I believe most accounts that do get "hacked" are compromised by people that know you that somehow got your pass or *cough* you gave it to them at some point. I did get the authenticator on W* simply because I was too cheap to pony up the g for the mounts, not because I'm paranoid I'll get hacked. I keep this annoying evil so they don't take the mounts away. (I'm SO cheap :P) This is the ONLY game I have an auth. on, simply because it offered the free mount.
----
Since it has never happened to you, how can you say for sure how it actually happens? I've had my WAR account hacked, and an attempt on my WoW account (attempt because I did have the authenticator on it). In neither case had I given my account info to anyone, including my husband. But in both cases I did have kinda crappy passwords :P But I won't say that's how everyone that's been hacked got hacked.
----
Research does state that most hacks are by people you know - having said that, trojans and key loggers are also massively to blame for hacking - quick gold making for those good old jolly gold farmers :angry:
----
Remember that sometimes the user isn't directly at fault. This is especially true if your WildStar password isn't unique to WildStar. Many players use the same couple of passwords everywhere, including places they consider "safe". Even if their machine/environment is secured, the fact that they gave their credentials to many different websites/platforms = higher chance for one of those websites to get compromised and for the password to end up in the wild. This can happen -years- after you entered your credentials somewhere, hence why it is recommended to change your passwords often, and that's again something most people don't do unless enforced. Yes, even us (employees) for example are always annoyed when we get that Windows reminder forcing us to change our password every 90 days and preventing us from using an old password for 3 consecutive years. If that policy wasn't in place in companies (including ours), I can tell you that less than 5% of users would actually take the time to change their password even once a year... Having two factor authentication (2FA) doesn't mean you should stop following all best practices when it comes to logins and passwords, but at the very least if you do not, it will add a layer of security, which is always welcomed :) Last but not least, we are currently working on adding some grace period for 2FA, which means that if you connect from a known IP address + have used 2FA in the past X days (exact number to be determined), you will be able to log on without having to enter your 2FA code again. This should make using 2FA more convenient and hopefully encourage more players to use 2FA while still providing an excellent level of protection.
----
That's similar to how NCsoft's login (and I think GW2's?) works. If you log in from a new IP you have to do a few extra steps and then can choose if you'd like to store the IP. I get hit by that periodically as my ISP changes my IP on occasion. It'd be nice not to have to enter the code via clicks every single time.
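The 2FA grace period Carbine describes above (skip the code when the login comes from a known IP that completed 2FA within the last X days), written out as an added example; this is not Carbine's code, the 14-day window and the dates are placeholder assumptions, and only a successful 2FA entry starts a window, so an IP is never trusted for ever.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The thread's "X days" was still to be decided; 14 is a placeholder assumption.
GRACE = timedelta(days=14)
EPOCH = datetime(2014, 7, 1)  # constructed reference date for the examples


def day(n):
    """Constructed timestamp n days after EPOCH (convenience for the demo)."""
    return EPOCH + timedelta(days=n)


@dataclass
class Account:
    # ip -> time of the last successful 2FA code entered from that ip.
    # Password-only logins do not refresh the entry, so every ip ages out
    # after GRACE and the user is re-challenged at least that often.
    trusted_ips: dict = field(default_factory=dict)


def needs_second_factor(account, ip, now, grace=GRACE):
    """Decide whether a password-correct login from `ip` must also present a 2FA code."""
    last_2fa = account.trusted_ips.get(ip)
    if last_2fa is None:
        return True                      # unknown ip: always challenge
    if now - last_2fa > grace:
        del account.trusted_ips[ip]      # window lapsed: forget the ip, challenge again
        return True
    return False                         # known ip and 2FA used within the window


def record_second_factor_success(account, ip, now):
    """Call after a valid 2FA code; starts (or restarts) the grace window for this ip."""
    account.trusted_ips[ip] = now


def prune(account, now, grace=GRACE):
    """Housekeeping: drop every ip whose window has lapsed, even if it never logs in again."""
    stale = [ip for ip, t in account.trusted_ips.items() if now - t > grace]
    for ip in stale:
        del account.trusted_ips[ip]
    return len(stale)
```

An IP address is weak evidence of who is connecting (shared NAT, ISP reassignment as the reply above notes), which is why the entry expires instead of being kept indefinitely.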
----
The NCSOFT website will save an IP address for ever. We won't do that for WildStar login; there will be a grace period but your IP won't be saved for ever, so you will still be prompted for your 2FA code every now and then (will still be way more convenient than it is right now, especially when you get disconnected and need to log back on really fast). As for clicks and digits randomization, this measure is there to beat basic keyloggers. Granted it's not 100% perfect (nothing is when it comes to security), but it is still way better than just typing digits directly with your keyboard. That's a system many online banking sites use.
----
I thought the same way you do until my account got hacked. I have never given my password to anyone for any reason, and assumed that the people who do get hacked are engaging in risky behaviors like handing their account info to guildmates or boosters. But be that as it may, somehow hackers in this game managed to get past my password--which was a moderately strong one--and sold off all my possessions on all my characters. I reported it immediately, had my account locked down, and recovered it. I have never been hacked in any other game before. This was a first. Was it just a matter of time? Is security here simply easier to get past? I don't know. I do know that the authenticator gives you a buff icon that is visible to others, which tells hackers who is and isn't vulnerable to their efforts, thereby literally painting a target on people who don't have 2FA for whatever reason. You'd think Carbine would fix that. They haven't. I also know that this: is only a problem if your game's security watches someone attempt to log in 1000 times a second, getting it wrong thousands of times in a row, and doesn't find that to be cause for alarm. If that seems like incredibly lax security, that's because it is. No game should let logins try and fail to provide the right password indefinitely--after no more than 5 incorrectly attempted logins, it should lock down the account for at least 20 minutes and send an automated warning email to the account owner warning them that someone tried to hack their account, with a link to reactivate the account. So yeah, 2FA is swell. But since the only supported authenticators are specific to people with Google Android or iOS, it's not a substitute for some basic, obvious moves to secure the login UI from automated shotgunned password guessing.
----
That is not how they work....
----
Responding to a quote from you, chum. I said it because you said it. :rolleyes:
----
^this Hackers don't brute force anything at this scale; it's not profitable. They use keyloggers, click trackers, screen scrapers, remote access, they'll even gather lists of registration emails and passwords from sites of similar backgrounds (like someone is probably trying to break wildstar-roleplay.com for its passwords and usernames, and will fire those into the login just to make sure someone didn't use the same email/password combo for both the client and any number of other websites). Really dedicated hackers might even be able to pull a man-in-the-middle attack, mimicking your IP. All you know is that whatever the attack is, it will almost surely be automated as much as possible. They're casting their nets wide and catching people between password changes. 2FA essentially makes your system as unautomatable as possible, especially with the number-salad they pull at login (that seems like a small measure, but means 100% of keyloggers and about 99% of standard clicktracers wouldn't work in a stutter attack and that someone would specifically have to be targeting a known Wildstar account to even try it). If you don't have it, your Wildstar account is about as protected as your email; it just takes one slip-up between password changes falling into the wrong hands. They don't need to fire a thousand login attempts at Carbine to log in. They're just trying to find a thousand individual logins to throw and seeing what sticks. At that rate, accounts with 2FA just aren't usually worth the work to break. Psyknis's post you were responding to was indicating a specifically shared password, since most people don't actually have completely idiosyncratic passwords. That said, Carbine might notice if you fire a thousand logins from the same IP. Carbine might not notice if you fire a thousand guesses from a thousand different IPs cycling between fifty different logins. It is possible to brute force a password. Psyknis is bringing up a good way for a password to become exceptionally secure against a brute force hack while still being very easy to remember. At present, I don't think Carbine's password system is set up to be that long (I'm not sure, I use 2FA so I don't have to worry about completely resetting my password every few months).
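The per-account lockout proposed earlier in the thread (lock after 5 wrong passwords, for 20 minutes, and send the owner a warning email), as added example code that is not from any poster or from Carbine; the account name, password, timestamps and the list standing in for outgoing email are constructed. The counter is keyed on the account rather than the source IP, which is what makes guesses spread across many IPs against one account, as the last post describes, still add up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 5                   # the thread's proposal: lock after 5 wrong passwords
LOCK_FOR = timedelta(minutes=20)   # ... for at least 20 minutes
EPOCH = datetime(2014, 7, 1)       # constructed reference time for the demo


def at(minutes):
    """Constructed timestamp `minutes` after EPOCH."""
    return EPOCH + timedelta(minutes=minutes)


class LoginGuard:
    """Per-account failure counter. Keyed on the account name, not the source ip,
    so a thousand guesses from a thousand ips against one account still count."""

    def __init__(self, check_password, notify):
        self._check = check_password     # callable(user, password) -> bool
        self._notify = notify            # callable(user, locked_until): the warning email
        self._failures = defaultdict(int)
        self._locked_until = {}

    def attempt(self, user, password, now):
        """Returns 'ok', 'bad_password' or 'locked'."""
        until = self._locked_until.get(user)
        if until is not None and now < until:
            return "locked"              # refuse without even checking the password
        if self._check(user, password):
            self._failures[user] = 0     # success clears the counter
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILURES:
            self._failures[user] = 0
            self._locked_until[user] = now + LOCK_FOR
            self._notify(user, now + LOCK_FOR)
            return "locked"
        return "bad_password"


def make_demo_guard():
    """Constructed user store and a list that stands in for the outgoing warning emails."""
    users = {"exile_42": "correct horse"}   # hypothetical account; plaintext only for the demo
    sent = []
    guard = LoginGuard(lambda u, p: users.get(u) == p, lambda u, t: sent.append((u, t)))
    return guard, sent
```

A lockout anyone can trigger with five wrong guesses can also be used to keep the real owner out, which is why the proposal pairs it with a reactivation link in the email rather than a silent lock.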